For more than a year, the W3C Tracking Protection Working Group (TPWG) has been hard at work developing a standard called Do Not Track (DNT) to provide users with a simple way to opt out of increasingly pervasive and invisible tracking on the web.
The group's face-to-face meeting last week in Amsterdam was unproductive, however, due in large part to an increasingly vocal contingent within the advertising industry. Coming on the heels of a recent media campaign to discredit the Do Not Track standard, some industry members seem to be signaling that they’re not serious about brokering a standard to honor users who prefer not being tracked, and will not accept anything short of an extremely watered down version Do Not Track (“DNT”) standard out of the W3C Working Group. This sudden onslaught and refusal to compromise is baffling given the pledge that the industry made earlier this year to honor DNT.
As part of the working draft of the Do Not Track specification, advertisers and other third parties are generally NOT supposed to collect data about users who have DNT turned on. However, certain exceptions are granted where small amounts of data can be kept for narrow purposes such as being able to comply with certain types of legal audits. Members of the working group who are focused on crafting a fair standard work to identify and define the scope of these exceptions. Yet during the W3C meeting, Rachel Thomas – VP of Government Affairs for the Direct Marketing Association – proposed that a sweeping exception be added for “marketing”:
Marketing fuels the world. It is as American as apple pie and delivers relevant advertising to consumers about products they will be interested at a time they are interested. DNT should permit it as one of the most important values of civil society.
Thomas’s proposal was lambasted by Roy Fielding -- a working group member who recently made a controversial change to the Apache web server in response to Microsoft's announcement about how DNT would be implemented in the IE10 setup process:
[…] raising issues that you know quite well will not be adopted is not an effective way to contribute to this process. […] It is not a permitted use because it is the collection of data for the sake of targeted marketing that the user is specifically trying to turn off.
While many industry members of the Working Group who represent publishers and ad networks are more reasonable than Thomas' comment indicates, episodes like this unfortunately seem to be becoming more frequent, and do not serve to move the process forward.
The Importance of a Meaningful Standard
In light of these tactics, the Tracking Protection Working Group must take a hard line. It would be ideal if a standard emerged that was both palatable enough to be adopted widely by industry, and favorable enough to be a significant change from the pervasive tracking taking place right now. Short of that (and setting aside a weak and unadopted standard), the choices are between a fair standard that somewhat protects user privacy, and a weak standard that does almost nothing for privacy yet is adopted by companies.
Of these two options, a fair standard that meets minimum privacy requirements is necessary for the credibility of the process and the outcome—even if it is not widely adopted right away or in the near future. To be clear, we are NOT suggesting a position that all data collected from DNT users ought to be immediately and perfectly anonymized. Real-world considerations like security do justify allowing some identifiable user data to be kept in a limited fashion. However, there must be a minimum standard met so that we can be assured that companies adhering to the standard are actually making meaningful changes to the way that they collect, process, and store data.
The current draft of the DNT specification simply does not provide users with a minimum bar of protection.
Adopting a standard that fails to meet a minimum privacy bar would be disastrous for DNT. Doing this would legitimize intrusive tracking by ad networks and mislead the public about ongoing data collection practices. The Working Group should be extremely focused on the question of ensuring that a meaningful minimum privacy bar is met, despite the recent hullabaloo which distracts from the hard work of serious members of the group.